Upcoming planned changes in FHS (file system layout) simplification imply that /usr could become read-only and writable only during RPM operations like install/uninstall/upgrade. We have a jar file with browser config generated and signed during the IPA server install. The file is then placed in /usr/share/ipa. This will not work with read-only /usr in Fedora 18 or 19.
We need to treat /usr/share/ipa as a template/model content and set up instance-specific version of the files in /var/lib/ipa/ipa-<REALM>. This would be compatible with future FHS changes and also would allow co-existence of multiple IPA instances in future.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=800546
Is this going to be an issue any more after we switch to the plugin based solution? Seems like by addressing https://fedorahosted.org/freeipa/ticket/3094 we solve the problem. Putting into NEEDS_TRIAGE to discuss and close.
Replying to [comment:4 dpal]:
The JAR file is still being generated and used with old browsers which cannot use the new FF plugin. I think there are also other files generated during ipa-server-install, i.e. we need to move the directory.
Changing 3.2 priority
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1410354 (Red Hat Enterprise Linux 7)
Metadata Update from @abbra: - Issue assigned to rcritten - Issue set to the milestone: Future Releases
The linked BZ reports that a number of files (as of IPA 4.5) are still written to /usr during install:
/usr/share/ipa/html/ca.crt
/usr/share/ipa/html/configure.jar
/usr/share/ipa/html/kerberosauth.xpi
/usr/share/ipa/html/krb5.ini
/usr/share/ipa/html/krb.con
/usr/share/ipa/html/krb.js
/usr/share/ipa/html/krbrealm.con
/usr/share/ipa/html/preferences.html
Metadata Update from @rcritten: - Issue close_status updated to: None
With 4.8 the installer creates:
/usr/share/ipa/html/ca.crt
/usr/share/ipa/html/krb5.ini
/usr/share/ipa/html/krb.con
/usr/share/ipa/html/krbrealm.con
We should consider dropping creation of krb5.ini, krb.con and krbrealm.con. These were added to support the MIT Kerberos client in Windows.
That would leave ca.crt as well as the two symlinks ssbrowser.html -> ../../../../etc/ipa/html/ssbrowser.html and unauthorized.html -> ../../../../etc/ipa/html/unauthorized.html.
I'm puzzled about the HTML files. They appear to be static (no realm/domain specific data) but are stored in /etc/ipa/html.
IIRC the files were moved to /etc specifically for the read-only /usr reason.
Honestly, ca.crt should probably be a symlink as well otherwise it's possible for it to get out-of-sync with /etc/ipa/ca.crt.
Symlinking ca.crt sounds like a good idea.
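A check for the out-of-sync case discussed above, added here as an example and not part of the ticket or of FreeIPA: it classifies the web-served /usr/share/ipa/html/ca.crt as a symlink to /etc/ipa/ca.crt, an identical copy that could drift, an already-diverged copy, or missing, and can replace a copy with the same ../../../../etc/ipa relative symlink form the HTML files use. The paths are the ones named in the comments; the demo tree it builds under mktemp is constructed so nothing touches a real host.

```shell
#!/bin/sh
# Classifies the served copy of the IPA CA certificate relative to the
# canonical one in /etc:
#   symlink  - served path resolves to the same file; cannot drift
#   copy     - separate file, currently byte-identical; can drift later
#   drift    - separate file whose contents already differ
#   missing  - one of the paths does not exist (or is a dangling symlink)
# Default paths are the ones named in the ticket; both can be overridden.
ca_crt_status() {
    canonical="${1:-/etc/ipa/ca.crt}"
    served="${2:-/usr/share/ipa/html/ca.crt}"
    if [ ! -e "$canonical" ] || [ ! -e "$served" ]; then
        echo missing
    elif [ "$served" -ef "$canonical" ]; then
        # -ef compares device and inode after following symlinks
        echo symlink
    elif cmp -s "$canonical" "$served"; then
        echo copy
    else
        echo drift
    fi
}

# Replace a standalone copy with the relative symlink suggested in the
# ticket (same ../../../../etc/ipa form as ssbrowser.html/unauthorized.html).
relink_ca_crt() {
    served="${1:-/usr/share/ipa/html/ca.crt}"
    ln -sf ../../../../etc/ipa/ca.crt "$served"
}

# Constructed tree: an installer-style plain copy under a temp root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ipa" "$root/usr/share/ipa/html"
    printf 'constructed CA cert v1\n' > "$root/etc/ipa/ca.crt"
    cp "$root/etc/ipa/ca.crt" "$root/usr/share/ipa/html/ca.crt"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    c="$root/etc/ipa/ca.crt"; s="$root/usr/share/ipa/html/ca.crt"
    echo "initial:       $(ca_crt_status "$c" "$s")"
    printf 'constructed CA cert v2\n' > "$c"   # simulate a CA renewal in /etc only
    echo "after renewal: $(ca_crt_status "$c" "$s")"
    relink_ca_crt "$s"
    echo "after relink:  $(ca_crt_status "$c" "$s")"
    rm -rf "$root"
fi
```

Run with `--demo` to see the copy/drift/symlink transitions on the constructed tree; without arguments it only defines the functions.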